CVE-2026-46549
NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation
| CVSS Score | 2.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the granted_resources.base_id restriction was bypassed on org-level endpoints that don't populate req.context.base_id. This vulnerability is fixed in 2026.04.1.
| CWE | CWE-863 |
| Vendor | nocodb |
| Product | nocodb |
| Published | Jun 23, 2026 |
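The defect described above is an authorization layer that trusts the underlying user's role while ignoring the scope and resource grants carried by the OAuth token, and a resource check that is skipped instead of failing when the request context has no base_id. The following is an added example, not NocoDB's own code: a minimal ACL check written the way the advisory describes it (role only), next to a hardened version that also enforces token scope and granted resources and fails closed on routes without a base context. The field names `oauth_scope`, `oauth_granted_resources` and `req.context.base_id` come from the advisory; the route table, scope names (`mcp`, `full`), role model and sample requests are constructed for illustration.

```javascript
// Added example (not NocoDB's code). Field names oauth_scope,
// oauth_granted_resources and req.context.base_id follow the advisory text;
// the route table, scope hierarchy and role model below are assumed.

// Constructed route table: the scope each route requires and whether the
// route operates on a specific base (org-level routes carry no base_id).
const ROUTES = {
  'GET /api/v2/mcp/tools':  { scope: 'mcp',  baseScoped: true },
  'GET /api/v2/bases/:id':  { scope: 'full', baseScoped: true },
  'GET /api/v2/orgs/users': { scope: 'full', baseScoped: false },
};

// Assumed scope hierarchy: which route scopes a token scope may reach.
const SCOPE_COVERS = { full: new Set(['full', 'mcp']), mcp: new Set(['mcp']) };

// Pattern described in the advisory: only the underlying user's role is
// consulted, so a restricted token inherits everything the user may do.
function aclCheckBefore(routeKey, req) {
  const route = ROUTES[routeKey];
  if (!route) return { allowed: false, reason: 'unknown route' };
  const allowed = req.user.roles.includes('owner');
  return { allowed, reason: 'role' };
}

// Hardened version: role decision first, then token scope, then the
// granted-resource restriction, which fails closed when it cannot be evaluated.
function aclCheckAfter(routeKey, req) {
  const roleDecision = aclCheckBefore(routeKey, req);
  if (!roleDecision.allowed) return roleDecision;
  const route = ROUTES[routeKey];
  const { oauth_scope: scope, oauth_granted_resources: granted } = req.user;

  // Session or non-OAuth user: no token fields, the role decision stands.
  if (scope === undefined) return { allowed: true, reason: 'role (non-oauth)' };

  // 1. The token's scope must cover what the route requires.
  const covers = SCOPE_COVERS[scope];
  if (!covers || !covers.has(route.scope)) {
    return { allowed: false, reason: `scope ${scope} does not cover ${route.scope}` };
  }

  // 2. A token restricted to particular bases must never reach a route whose
  //    context carries no base_id: deny instead of skipping the check.
  const baseIds = granted && granted.base_id;
  if (Array.isArray(baseIds) && baseIds.length > 0) {
    const ctxBase = req.context && req.context.base_id;
    if (!route.baseScoped || !ctxBase) {
      return { allowed: false, reason: 'base-restricted token on route without base context' };
    }
    if (!baseIds.includes(ctxBase)) {
      return { allowed: false, reason: `base ${ctxBase} not granted` };
    }
  }
  return { allowed: true, reason: 'scope and resources ok' };
}

// Constructed request: an owner's MCP-only token restricted to base_A.
function mcpRequest(baseId) {
  return {
    user: {
      id: 'u1',
      roles: ['owner'],
      oauth_scope: 'mcp',
      oauth_granted_resources: { base_id: ['base_A'] },
    },
    context: baseId ? { base_id: baseId } : {},
  };
}

// Side-by-side comparison for the reader.
for (const routeKey of Object.keys(ROUTES)) {
  const req = mcpRequest('base_A');
  console.log(routeKey, 'before:', aclCheckBefore(routeKey, req).allowed,
              'after:', aclCheckAfter(routeKey, req).allowed);
}
```

The org-level route is the interesting case: the role-only check admits the MCP-only token, while the hardened check rejects it twice over, first because the token scope does not cover the route, and even with a broader scope because the base restriction cannot be evaluated without a base_id in the context.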
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | High |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | None |
| Availability | None |
Affected Versions
| nocodb / nocodb | < 2026.04.1 |